Most shocking noob mistake you've seen on a major website?

Josh1billion
Forum Contributor
Posts: 316
Joined: Tue Sep 11, 2007 3:25 pm


Post by Josh1billion »

Back in the day (around 2000), Echelon (now known as Swirve), the company that created Utopia and Earth 2025 (well-known browser-based games), had a free forum service that I used for a while. Good forum service overall, but something I look back on today and think "wtf were they thinking??": they didn't use cookies, nor sessions. Nope, your username and password were stored as string queries ($_GET variables), completely unencrypted. So if you went to copy-and-paste a link for a particular thread, and forgot to remove the &username=blah&password=blah from the URL.. danger! That actually happened to me once.
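A defender's check for the mistake described in this post, added here as an example and not code from the forum service or the thread: it scans constructed web-server access-log lines for credential-bearing query strings (username/password parameters in the URL) and produces a redacted form safe to keep in logs. The log format and parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that should never travel in a URL query string (assumed list).
CREDENTIAL_PARAMS = {"username", "user", "password", "passwd", "pwd", "pass"}

# Constructed sample access-log lines (not real traffic). The third line carries
# the username and password in the query string, as the forum service above did.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36] "GET /forum/viewthread?id=42 HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2000:13:55:40] "GET /forum/post?id=42&page=2 HTTP/1.0" 200 640
203.0.113.7 - - [10/Oct/2000:13:56:01] "GET /forum/viewthread?id=42&username=alice&password=s3cret HTTP/1.0" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def credential_params(target):
    """Return the sorted names of credential-like parameters in a request target."""
    query = urlsplit(target).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in CREDENTIAL_PARAMS})

def redact_target(target):
    """Rewrite the request target with credential values replaced by [REDACTED]."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [f"{k}={'[REDACTED]' if k.lower() in CREDENTIAL_PARAMS else v}" for k, v in pairs]
    return parts._replace(query="&".join(kept)).geturl()

def scan_log(text):
    """Return (line_number, client_ip, params, redacted_target) for each offending line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = credential_params(m.group("target"))
        if params:
            hits.append((n, line.split()[0], params, redact_target(m.group("target"))))
    return hits

if __name__ == "__main__":
    for n, ip, params, redacted in scan_log(SAMPLE_LOG):
        print(f"line {n}: client {ip} sent {', '.join(params)} in the query string -> {redacted}")
```

The same redaction should be applied before request URLs are written to logs or proxies, since the credentials are exposed not only in shared links but in every intermediate log that records the URL.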
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Wow. I never even did that with my most basic learning php scripts. I did however store passwords in a database table in plain text.

Anyhoo, most production level sites have their error reporting turned off, so it's hard to see errors that aren't obvious in design like the one you mentioned. The most I got is just seeing undefined variable notices.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I took out a live site that has over 500k hits an hour with 4mil users for about 30 minutes because the stupid FTP client that they wanted me to use was finicky.. The cause? I was moving the mouse and accidentally clicked at just the right time to cause the FTP client to *think* that I wanted to drag & drop the config directory into another. Not knowing where the hell it put it, and being as there were hundreds of directories, I had to re-upload the entire folder from backup. With the amount of money this site made, that could have easily been a $10k mistake or more.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Not so much my mistake, but I've come across systems that previous coders had done which stored credit card details in plain text. I quit the next day. How can anyone work with those kinds of business ethics?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I think my biggest issue was leaving database error statements inside of die() calls that were totally unnecessary (error handling would have been a lot better than die()).
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Jcart wrote:Not so much my mistake, but I've come across systems that previous coders had done which stored credit card details in plain text. I quit the next day. How can anyone work with those kinds of business ethics?
Whoa, what did you say before you quit? How long had you been working there?
I think my biggest issue was leaving database error statements inside of die() calls that were totally unnecessary (error handling would have been a lot better than die()).
Yeah, we've all done that; it's the classic way people are taught PHP.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

In or around 2002ish, CodeProject.com had a bit of a hiccup because some goofball used JS (which was allowed, if I remember correctly) in his signature to switch the banner ads...

So for an hour or so, when you logged onto CP, instead of seeing banner ads for Dundas Charts, or an ASP.NET tool, etc... I saw banner ads for my *other* favorite kind of sites. :P Because I appreciate CP... I did not sign up for any free accounts. :P
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

In late 2005 I noticed that a couple of friends doing an internship at UNESCO ( http://www.unesco.org ) didn't even know about SQL injection... But I think the defacing of that site made news covers :D
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I don't know if you chaps have heard of BACS? ( http://en.wikipedia.org/wiki/BACS ) Basically just about every company in the UK uses it to pay its employees, and other beneficiaries, money (salaries, trades, loans, etc.)

My role involved supporting the system for a very large company, and its subsidiary clients and child companies. Anyway, to cut a long story short, this involved 200 employees cutting and pasting data from many files to a shared spreadsheet, then sending me the spreadsheet, which I then exported as a CSV, ftp'd to the transfer server and submitted as a BACS job. The sharp-witted may have already spotted a huge margin for human error.. missed payments were very common, the worst being a £66 million payment from one bank to another, which incurred a HUGE fine nearly doubling the cost, all because a line was missed when copying and pasting.

The catch? There were literally millions of pounds per month passing through my hands. A few things with that: none of the data was encrypted, all plain text; I had every employee's (and client's) bank details, including how much they earn (my company always made it a hoo-hah that no one knows what their peers are earning); and to top it all off, the only verification needed in these files was that each file submitted had a "total" in the header, and the list of payments underneath. Some files had as much as 50,000 lines of payments. 5p off of each line, tallied into an extra line which just so happened to have my Cayman Islands bank details in, and I would have been a very, very rich man very, very quickly. Good thing I am honest, eh?
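The control gap Jenk describes is that the only check was a header total over the payment lines, which a file with a dropped or altered line can still satisfy. The reconciliation below, an added example not taken from the post or from any BACS software, compares every payment line against the source records as well as the header total, so a file that balances but omits or adds a beneficiary is still flagged. The CSV layout and the sample payments are constructed for the example, not the real BACS file format.

```python
import csv
import io

# Assumed simplified layout for this example (not the real BACS Standard 18 format):
# a header row "TOTAL,<pence>" followed by one "sort_code,account,name,pence" row per payment.

# Constructed source records, standing in for the data pasted into the shared spreadsheet.
SOURCE_PAYMENTS = [
    ("12-34-56", "00000001", "A Example", 150000),
    ("12-34-56", "00000002", "B Example", 225000),
    ("65-43-21", "00000003", "C Supplier", 99950),
]

def build_file(payments):
    """Serialise payment rows under a header total, the way the exported CSV was submitted."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["TOTAL", sum(p[3] for p in payments)])
    for sort_code, account, name, pence in payments:
        w.writerow([sort_code, account, name, pence])
    return buf.getvalue()

def parse_file(text):
    """Return (header_total, [(sort_code, account, name, pence), ...]) from file text."""
    rows = list(csv.reader(io.StringIO(text)))
    header, body = rows[0], rows[1:]
    return int(header[1]), [(r[0], r[1], r[2], int(r[3])) for r in body]

def reconcile(file_text, source):
    """Return a list of problems; an empty list means the file matches the source exactly."""
    total, payments = parse_file(file_text)
    problems = []
    if total != sum(p[3] for p in payments):
        problems.append("header total does not equal the sum of payment lines")
    # The header total alone is a weak control: it is recomputed from whatever lines are
    # present, so a missing or extra line still balances. Compare each line to the source.
    expected = {(s, a, pence) for s, a, _, pence in source}
    seen = {(s, a, pence) for s, a, _, pence in payments}
    for s, a, pence in sorted(seen - expected):
        problems.append(f"unexpected payment of {pence}p to {s} {a}")
    for s, a, pence in sorted(expected - seen):
        problems.append(f"missing payment of {pence}p to {s} {a}")
    return problems

if __name__ == "__main__":
    print(reconcile(build_file(SOURCE_PAYMENTS), SOURCE_PAYMENTS))       # []
    print(reconcile(build_file(SOURCE_PAYMENTS[:2]), SOURCE_PAYMENTS))   # one missing payment
```

The check should run on the file actually submitted to the transfer server, with the source records held separately from the submitter, so the person who exports the file is not also the only person who verifies it.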
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Jenk wrote:5p off of each line, tallied into an extra line which just so happened to have my Cayman Islands bank details in and I would have been a very, very rich man very, very quickly. Good thing I am honest, eh?
Yeah sure! You are writing this from some nice white beach somewhere in the Pacific.
You just pretend not to, to prevent Scotland Yard finding out your whereabouts.. :)
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Office Space-esque. LOL
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

ole wrote:
Jcart wrote:Not so much my mistake, but I've come across systems that previous coders had done which stored credit card details in plain text. I quit the next day. How can anyone work with those kinds of business ethics?
Whoa, what did you say before you quit? How long had you been working there?
Gave him the usual crap about personal security and identity theft, etc, etc. Once he told me he pretty much didn't care about his users' security and that nothing bad would happen with the stored credit card numbers, I quit right there and told him I was reporting his website in a month, so I hoped he'd change his mind by then. I regret not reporting his business right there.

I wonder how many other sites that you can supposedly "trust" with your financial details. Much of the reason I have a paypal account and will never input my credit card details anymore.

EDIT | Wow just read Jenk's and that sure beats the crap out of my story.